A vulnerability has been discovered in Microsoft's web browser, Internet Explorer, which could allow an attacker to take complete control of an affected system. At this point in time, no patches are available for this vulnerability. Exploitation may occur if a user visits a web page which is specifically crafted to take advantage of this vulnerability. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Please note: Proof of concept code has been published and is publically available. However, we have not received any reports of active exploitation of this vulnerability.

March 2 - UPDATED OVERVIEW:Based on additional testing performed in our lab, we have determined that Windows Server 2008 and Windows Vista are not affected by this vulnerability.

April 13 - UPDATED OVERVIEW:Microsoft Security Bulletin MS10-022 has been released with a patch for this vulnerability. Please note that this vulnerability was originally listed for Internet Explorer. However, Microsoft has determined that the vulnerability is in the VBScript Scripting Engine. VBScript (Visual Basic Script) is a programming language that is often used to make Web sites more flexible or interactive. Even though Windows Server 2008, Windows 7 and Windows Vista are not exploitable by this vulnerability, the patch should still be applied to these systems.

ORIGINAL SYSTEMS AFFECTED:

Windows XP

Windows 2000

Windows Sever 2003

Windows Server 2008

Windows Vista

Windows NT

Microsoft Internet Explorer 6

Microsoft Internet Explorer 7

Microsoft Internet Explorer 8

April 13 - UPDATE SYSTEMS AFFECTED:

Windows Vista

Windows 7

Windows Server 2008

Windows Server 2008 R2

RISK:Government:

Large and medium government entities: High

Small government entities: High

Businesses:

Large and medium business entities: High

Small business entities: High

Home users: High

ORIGINAL DESCRIPTION:
A vulnerability has been identified in Microsoft Internet Explorer that could allow an attacker to take complete control of an affected system. The is due to a vulnerability in the VBScript "MsgBox()" function allowing the execution of malicious Microsoft HELP (.hlp) files by winhlp32.exe. An attacker can exploit this vulnerability by hosting a specially crafted webpage. Once the user visits the page, a specially crafted popup box will then prompt the user to press the "F1" Help key. When the user invokes the Windows help command by pressing the "F1" key, the attacker's code will run inside the browser and exploit the vulnerability.

Successful exploitation could allow an attacker to gain the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. At this point in time, no patches are available for this vulnerability.

Please note: Proof of concept code has been published and is publically available. Based on testing in our lab, the PoC code depends on .hlp files being hosted on an SMB share on the Internet. However, this may not be the only attack vector. The PoC code can easily be modified to execute any arbitrary command.

April 13 - UPDATED DESCRIPTION:Microsoft Security Bulletin MS10-022 has been released with a patch for this vulnerability. Please note that this vulnerability was originally listed for Internet Explorer. However, Microsoft has determined that the vulnerability is in the VBScript Scripting Engine. VBScript (Visual Basic Script) is a programming language that is often used to make Web sites more flexible or interactive. Even though Windows Server 2008, Windows 7 and Windows Vista are not exploitable by this vulnerability, the patch should still be applied to these systems.

ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken:

Install the appropriate vendor patch as soon as it becomes available after appropriate testing.

Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources..